Worm: W32.areses.h@mm
free web hosting
Open Discussion > CONTRIBUTE > Computers > Computer Security Issues & Exploits

Worm: W32.areses.h@mm

jibnet
Jun 5 2006, 12:03 PM
QUOTE
W32.Areses.H@mm is a mass-mailing worm that opens a back door on the compromised computer and may download files.

When W32.Areses.H@mm is executed, it performs the following actions:


Copies itself as the following file:

%Windir%\csrss.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Adds the value:

"Debugger" = "[PATH TO WORM]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe


Adds the value:

"Application" = "[VARIABLE DWORD VALUE]"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices


Deletes the value:

"BootExecute" = "autocheck autochk *"

from the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Session Manager


Attempts to inject its code into the svchost.exe and sevices.exe processes.


Checks for the presence of the 127.0.0.1 string in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
\Interface\[INTERFACE CLSID]\"NameServer"

Note: If the above value is found, it stops the mass-mailing routine.


Creates the following archive that contains a copy of itself:

%Temp%\message.zip

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).


Gathers email addressess from files with the following extensions:


.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
.dhtml

The worm avoids email addresses that contain any of the following strings:


@example.
2003
2004
2005
2006
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
.qmail
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
0000
Mailer-Daemon@
@subscribe
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
torvalds@
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
spm111@
..
-0
.00
@.
---
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@


Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: Spoofed.

Subject: [RANDOM]

Message: [RANDOM]

Attachment: [RANDOM]


Tries to contact the following Web sites and may attempt to download a remote file:


[http://]85.249.23.35/m2/g.p[REMOVED]
[http://]207.46.250.119/g/m.p[REMOVED]
[http://]84.22.161.192/s/f[REMOVED]


Opens a back door on a random TCP port.


RECOMMENDATIONS:


I encourage all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.


Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, follow the instructions displayed by your antivirus program.



Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices


In the right pane, delete the value:

"Application" = "[VARIABLE DWORD VALUE]"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe


In the right pane, delete the value:

"Debugger" = "[PATH TO WORM]"


Exit the Registry Editor.


Notice from serverph:
COPIED without proper QUOTES as reported by Avalon.
Sourced from: http://www.symantec.com/avcenter/venc/data...reses.h@mm.html
Warning served. Quote tags added.

as this is strike 3 already, POSTING DISABLED FOR 7 DAYS.

 

 

 


Reply

Avalon
Jun 5 2006, 12:19 PM
IPB Image

Reply

jibnet
Jun 5 2006, 12:43 PM
I believe its not spamming.. I saw a lots of post here where users wanted to learn C programming thats why i published this information. And anyways how can u call my information SPAM. there isnt a single place where i have written that i am the author for information. Its just sharing of information.

Reply

serverph
Jun 5 2006, 05:05 PM
CLOSED.

Reply


Got an Opinion! Express your Views! (no registration):-
Add your Reply/ Opinion/ Views/ Comments/ Suggestion/ Questions/ Queries etc.
Posts with decent grammar & English will be accepted and please refrain from profanities.
For asking a Question, We recommend you to sign-up (for free) so that you can track the topic easily.

Nature of your Post*: Opinion/ Reply/ Comments
Question/Query
Feedback to us.
       
Name   Email
Title/Question*

(Maximum characters: 10,000)
You have characters left.

Recent Queries:-
  1. areses tool - 615.04 hr back. (1)
Similar Topics

Keywords : worm, w32, areses, h, mm

  1. The War Of Candies!
    Gummy, bear or worm?! (13)
  2. Openoffice Worm Hits Mac, Linux And Windows
    (1)
    i found this on zdnet QUOTE According to the Symantec Security Response Web site, the worm is
    capable of infecting multiple operating system platforms and is spreading. The advisory said: "A
    new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows,
    Linux, and Mac OS X systems. Be cautious when handling OpenOffice files from unknown sources". In
    an interview with ZDNet Australia on Thursday, Dr Jan Hruska, who co-founded rival antivirus firm
    Sophos and was one of the first ever PC antivirus experts, said that Apple Mac's ....
  3. Skype Worm Jumps To Icq And Msn
    (3)
    Well if you all remember a few months back I made a topic about the skype worm here , well it seems
    to have busted out two clones one for ICQ and for MSN. the new variation showed up sometime at the
    beginning of the week for these two networks and if memory serves me correctly and it usually does,
    these two messenger networks are huge. Now in order for this worm to be activated a user must click
    on a link and once they do that the worm will start sending messages to your contact list and get
    others to click on that link as well. Although security experts rate this ....
  4. New Virus Called Storm Worm Or W32/nuwar@mm Is Out And About
    WINZIP/Rar be WARNED (4)
    To think the Microsoft ANI exploit and the botnet things were bad but this just top the charts, this
    new variation of the Storm virus of last year gets a new powerful punch. The virus gets sent
    through a password protected zip fil in which the password is contain in a image file in the email.
    The email subject contains either Worm Alert!" or "Trojan Detected! so do not open and just
    delete it. Also the image file will read something like UrgentNotice.gif" or "AbuseReport.gif. and
    the zip file will read something like "patch-####.zip" or "removal-####.zip.". ....
  5. New Worm Attacking Symantec Products
    Check this if you use symantec! (5)
    Hey guys, en route to college earlier i was reading the metro paper, the free one on the tube, and i
    found this article: http://www.metro.co.uk/news/article.html?i...p;in_page_id=34 which warns of a
    new worm attacking symantec anti virus: CODE Major companies are at risk from a crippling new
    computer bug which targets their antivirus software, it was claimed on Thursday night. Already, a
    division of the world's biggest media corporation, Time Warner, has been hit. Experts believe a
    disgruntled hacker with a grudge against software firm Symantec is behind the....
  6. A Worm? A Trojan? A Virus?
    (4)
    Recently I screwed my computer just goin online on the net. I dont know what it is but it's
    really gettin on my nerves... I will tell you what it does whenever i go online on yahoo it sends
    some messages to all my contacts every so often changes my status name to some *BLEEP* n it is
    undetectable by anti virus....
  7. Myspace.com Flash Hack
    account hijacked worm and solution (13)
    Well buffaloHELP just mention and I have confirmed it by many articles myspace accounts have been
    hacked or in hte sense that if your account was hijacked then anyone viewing your profile will also
    get infected as well. In a article by chaseandsam.com go into detail on how this happen and a
    solution to it as well Click here for more ---WARNING--- Also this hack is also a virus in
    which a person who is viewing your hacked profile will get their profile hijacked as well. Also
    Symantec mentions about it as well Nortan How it was done ---SOLUTION--- ....
  8. Worm Disguises As Windows Genuine Advantage
    be careful of the wgavn service ... (5)
    QUOTE IT security experts have warned of a worm that purports to be Microsoft's Windows
    Genuine Advantage (WGA) anti-piracy tool. WGA has recently been branded as 'spyware' in
    that it collects unnecessary hardware and software data from users' PCs. The Cuebot-K worm
    spreads via AOL Instant Messenger, registering itself as a new system driver service called
    'wgavn'. It carries the display name 'Windows Genuine Advantage Validation
    Notification', and runs automatically during system startup. Once in place the worm disables
    the Wi....
  9. Alcra D Worm
    PLEASE HELP (10)
    I have the Alcra D worm which starts up limewire and disables regedit and other things. If anyone
    knows how to get rid of this tell me. PLEASE. I have adaware, but it never seems to find it. I cant
    use ctrl alt delete and limewire slows my computer down because it opens non stop. SO PLEASE HELP. I
    have tried other things, but they never seem to work. I found a program for the type B worm, but it
    dosnt work for D i tried. Any info on this post back. If you use limewire and it keeps opening this
    is what you have by the way. And i love how limwire's FAQ says you have a ....
  10. Nyxem E - Be Safe From This Virus/worm
    Latest Mass Mailing Worm (14)
    QUOTE Windows users are being urged to scan their computers before 3rd February 2006 to avoid
    falling victim to a destructive Worm. On that date the Nyxem E Worm is set to delete Word,
    Powerpoint, Excel and Acrobat files on infected machines! Don't get caught out... See
    complete article at http://www.updatexp.com/nyxem-e.html Better get your anti-virus updated by
    3rd Febuary before seeing your files go missing. It's kindda scary worm if not handled properly.
    The date is near so get updated fast. Edited topic title. ....
  11. Keylogger And Worm Cleanup Help
    Please Help Me (13)
    I just scanned my computer, with a program. it says it has some keyloggers and worms. how do i
    delete/take off them!?! here are some pics. : ....
  12. Microsoft Plugs Windows Worm Holes
    14 flaws in Windows... (3)
    http://news.zdnet.com/2100-1009_22-5893344.html?tag=nl.e589 Here is another proof that the words
    'Windows' and 'Security' simply cannot go together... And yet another good reason
    for installing and start using Linux... Cheers! KoYoda....
  13. New Worm
    zotob (1)
    QUOTE The worm is a packed PE executable file 22528 bytes long. Installation to system When
    run, the worm copies under %SYSTEM% directory using the name 'botzor.exe' and creates a
    named mutex 'B-O-T-Z-O-R' for making sure that only one copy of the worm is run at the same
    time. Then it adds the following registry entries to ensure that it is started when a user logs on
    or the system is restarted: "WINDOWS SYSTEM" = "botzor.exe" The worm also adds the
    following registry key for diasabling shared access service: "Start" = "4" Spr....
  14. New Worm!
    Please note! New Worm here! (9)
    OK! Mircosoft has just discovered a new worm. I repeat! NEW WORM! The new worm is called
    "Zotob". It's a worm that can takes weeks, months, to get embeded into your system and take
    over. It digs so deep that it's very difficult to erase. So PLEASE! Listen carefully!
    Zotob -- The worm targets Windows 2000 Computers and once it's embeded, it'll try sending
    itself to other computers! The worm IS *NOT* caught by emails, websites, anything. It's a
    worm that opens itself, so you have to be really carefull now. What it does: Is si....
  15. New Worm, M$ Users, Be Warned!
    WORM_ZOTOB.D and WORM_RBOT.CBQ (11)
    New Virus is emerging. Microsoft users, be alerted!. This is one of the reason why i dont really
    like M$ stuff, but still, i need it really much despite of its problems QUOTE Dear Trend
    Micro customer, As of August 16, 2005 5:12 PM (Pacific Daylight Time; GMT-7:00), TrendLabs has
    declared a Medium Risk Virus Alert to control the spread of WORM_ZOTOB.D and WORM_RBOT.CBQ.
    TrendLabs has received several infection reports indicating that this malware is spreading in
    Brazil and the U.S.A. WORM_ZOTOB.D is a memory-resident worm that drops a copy of itself in ....
  16. A Worm Sig : By Mayank
    please rate and comment (12)
    Hey friends....yesterday i posted my first ever sig...and got some good responce...and very nice
    tips, today i have made another sig. here are the details. Render : Worms (taken from
    planetrenders.net) Brush : Forgot which one i used...but was from deviantart. Font : Georgia Bold
    Italic and Arial Bold Italic Effect Used : Supernova on the sword. Created With : THE GIMP 2.2
    (windows version) Image Hosted at : imageshack.us Please comment and tell me wheather i was able to
    remove the problems as seen in the last SIG. ....
  17. I Am A Worm
    Newest song ive written (7)
    "I am A Worm" Verse: Raging war against the law of my mind Making me a prisoner of the law of sin
    My tears have fed me day and night My heart turns to wax, it melts within Waging war again, and
    again Pre-Chorus: What a wretched man am I What a wretched man Chorus: Who will rescue me from
    this Body of death Thanks be to God Through the Son I am a worm and not a man All my bones are out
    of joint Verse: When i want to do good Evil is there with me When i want to do good Evil's
    there tempting me My tears have fed me day and night Pre-Chorus: What a wretched man am I....
  18. New Virus Kills Music Files
    Nopir.B worm wipes out all mp3 and com files (19)
    http://english.chosun.com/w21data/html/new...0504250004.html Not only does it not differentiate
    between legal and illegal mp3 files, it also doesn't let you reboot your computer. So far,
    it's been circulating only in Europe, but those in the US and Asia had better take caution as
    well. It's only a matter of time.......
  19. phpBB - worm... important!!!
    (15)
    i read somwhere today that there is some fast spreading worm attacking phpBB forums. like that he
    erazes all data and change start page to somethng like... this page is infected with a worm...
    :roll: it spreads by using the google.. dunno what that meens.. i just had some small info in some
    news on site in croatian language so i doubt like to it will help u /tongue.gif' border='0'
    style='vertical-align:middle' alt='tongue.gif' /> .. and nothing more. any1 know something
    more???....


      20. Looking for worm, w32, areses, h, mm

*RANDOM STUFF*





*SIMILAR VIDEOS*
Searching Video's for worm, w32, areses, h, mm
Watch the latest videos on YouTube.com

*MORE FROM TRAP17.COM*
advertisement



Worm: W32.areses.h@mm



 

 

 

 

ADD REPLY / Got an Opinion! a humble request :-) RAPID SEARCH! Free Hosting [X]
Express your Opinions, Thoughts or Contribute your information that might help someone here.
Ask your Doubts & Queries to get answers.. "Together, We enlight each other!" 		Register FREE for AD-FREE forum, Create your own topics, Ask Questions, track topics, setup subscriptions & notifications and Get a Free Website w/ Email and FTP.
500MB Space *No Ads*, CPanel, FTP, PHP, MySQL, EMails - 100% FREE